Formal Modeling of Real-Time Systems with Data Processing

Formal Modeling of Real-Time Systems with Data Processing

Tam´as T´oth^∗ and Istv´an Majzik^† Budapest University of Technology and Economics, Department of Measurement and Information Systems,

Fault Tolerant Systems Research Group

Email:^∗totht@mit.bme.hu,^†majzik@mit.bme.hu

Abstract—The behavior of practical safety critical systems usually combines real-time behavior with structured data flow.

To ensure correctness of such systems, both aspects have to be modeled and formally verified. Time related behavior can be efficiently modeled and analyzed in terms of timed automata.

At the same time, program verification techniques like abstract interpretation and software model checking can efficiently handle data flow. In this paper, we describe a simple formalism that is able to model both aspects of such systems and enables the combination of formal verification techniques for real-time systems and software. We also outline a straightforward method for building efficient verifiers for the formalism based on the combination of analyses for the respective aspects.

I. INTRODUCTION

Ensuring the correctness of safety critical systems using formal verification is a challenging task as it requires formal modeling of the system in question, as well as the applica- tion of formal analysis techniques. Usually, the behavior of practical safety critical systems exhibits both real-time aspects (e.g. switching to an error state after a certain amount of time has passed since the last event occurred) and data flow (e.g.

branching on the value of a program variable or initializing a loop counter).

Time-related behavior can be conveniently modeled in terms of timed automata [1]. Model checkers for timed automata like UPPAAL [2] can efficiently verify models using dedicated data structures that represent abstractions over real-valued clock variables [3]. Usually, data variables are handled by encoding the data flow into the control flow [2], which only admits variables of finite domains, or alternatively by using a logical encoding [4]–[11] and then performing model checking by calling to decision procedures. In the latter case, the information about time-related behavior becomes implicit and efficiency depends mostly on the underlying solver.

On the other hand, state-of-the-art program verifiers [12] are designed to handle complex data flow, described in terms of a control flow automaton, and often use abstraction-refinement techniques [13] to handle variables of possibly infinite do- mains. However, they are not directly capable of verifying timed systems.

∗This work was partially supported by Gedeon Richter’s Talentum Foun- dation (Gy¨omr˝oi ´ut 19-21, 1103 Budapest, Hungary).

†This work was partially supported by the ARTEMIS JU and the Hungarian National Research, Development and Innovation Fund in the frame of the R5-COP project.

In this paper, to enable integration of verification techniques used in real-time verification and program verification, we define a formalism, Timed Control Flow Automata (TCFA), that is an extension ofControl Flow Automata(CFA) used in program verification, with notions of Timed Automata (TA), the prominent formalism of real-time verification. Its main ad- vantage is that it represents both data flow and timing explicitly and in a way that is similar to the original formalisms, thus enables the application of analyses that fit to the respective aspects. We define the syntax and semantics of the formalism, and describe how it relates to CFAs and TAs. Furthermore, we outline a simple method for combining analyses for the two formalisms to build efficient verifiers for TCFAs.

II. BACKGROUND ANDNOTATIONS

In this section, we describe the notations used in the paper.

A. Types

Let Type denote a set of types and Dom a map- ping from types to their semantic domains. We as- sume {bool,int,real} ⊆Type such that Dom(bool) =B, Dom(int) =ZandDom(real) =R.

B. Variables

Let Var be a set of program variables. Variables have types, expressed as function type :Var →Type. We abbre- viateDom(type(v))byDom(v). The set of variables of type τ ∈Type is denoted byVar(τ) ={v∈Var|type(v) =τ}. C. Expressions

Let Expr be a set of well-typed expressions over Var. An expressions can contain program variables v∈Var, log- ical connectives (true, false, ¬, ∨, ∧, →, ↔), quantifiers (∀x:τ .ϕ,∃x:τ .ϕ) and logical variables, interpreted function symbols (e.g.. 0, +, ·), interpreted predicate symbols (e.g.

=, <, ≤), uninterpreted function and predicate symbols, and type constructors and accessors in case the type system supports complex data types. Given an expression e∈Expr and a type τ ∈Type, we denote by e:τ iff e has type τ. Naturally, v:τ iff type(v) =τ for all variables v∈Var and types τ ∈Type. The set of formulas is denoted by Form={ϕ∈Expr |ϕ:bool}.

46

D. States

A concrete data stateS ∈Stateis a mapping from variables to values such that S(x)∈Dom(x) for all x∈Var. We also extend this notion to arbitrary expressions. For a state S ∈State and formula ϕ∈Form, we denote by S |=ϕiff S(ϕ) = 1.

E. Statements

Let Stmt denote the set of statements. Although our for- malization admits arbitrary structured statements, for the sake of simplicity we assume that statements are of the form

s::= [ϕ] | v :=e | havocv | s; s

where v∈Var, e∈Expr and ϕ∈Form. Statement [ϕ]

is an assume statement, v:=e is an assignment of eto v, havocv is an assignment of an arbitrary value of a suitable type to v, ands; sis a sequential statement.

The semantics of statements can be expressed by the (not necessarily total) semantic function Succ:State×Stmt→ P(State) that assigns to a state S ∈State and a statements∈Stmt a set of successor states Succ(S, s). It can be defined as

• {S} ifs= [ϕ]andS |=ϕ

• ∅ ifs= [ϕ]andS 6|=ϕ

• {S⁰∈State| S⁰=S[v←[S(e)]} ifs=v:=e

• {S⁰∈State| S⁰=S[v←[x] for somex∈Dom(v)}

ifs=havocv

• {S⁰⁰∈State| S⁰∈Succ(S, s1)andS⁰⁰∈Succ(S⁰, s2) for someS⁰∈State} ifs=s1;s2

F. Timed Automata

Timed automata [1] is a widely used formalism for modeling real-time systems. A TA is a tuple (Loc,Clock, ,→,Inv, `0) where

• Loc is a finite set of locations,

• Clock is a finite set of clock variables.

• ,→ ⊆Loc×ClockConstr× P(Clock)×Loc is a set of transitions where for (`, g, R, `⁰)∈,→,g is a guard and R is a set containing clocks to be reset,

• Inv :Loc→ClockConstris a function that maps to each location an invariant condition over clocks, and

• `0∈Loc is the initial location.

Here, ClockConstr denotes the set of clock constraints, that is, formulas of the form xi∼0 and xi−xj ∼c where xi, xj∈Clock,∼ ∈ {<,≤,=.}andc is an integer literal.

The operational semantics of a TA can be defined as a labeled transition system(S,Act,→, I)where

• S=Loc×State is the set of states,

• I ={`0}×{S ∈State| S(x) = 0for allx∈Clock and S |=Inv(`0)} is the set of initial states,

• Act=R≥0∪ {α}, whereα denotes discrete transitions,

• and a transition t∈ → of the transition relation

→ ⊆S×Act×S is either a delay transition that in- creases all clocks with a valueδ≥0:

`∈Loc δ≥0 S<sup>0</sup>=Delay(S, δ) S<sup>0</sup> |=Inv(`) (`,S)−→<sup>δ</sup> (`,S⁰)

or a discrete transition:

`,−−→<sup>g,R</sup> `⁰ S |=g S⁰=Reset(S, R) S⁰|=Inv(`<sup>0</sup>) (`,S)−→^α (`⁰,S⁰)

Here, Delay:State×R≥0→State assigns to a state S ∈State and a real numberδ ≥0 a stateDelay(S, δ)such that

Delay(S, δ)(v) =

(S(v) +δ ifv∈Clock S(v) otherwise

Moreover,Reset(S, R)models the effect of resetting clocks in Rto0 in stateS ∈State:

Reset(S, R)(v) =

(0 ifv∈R S(v) otherwise G. Control Flow Automata

In program analysis, programs are modeled in terms of control flow automata. Syntactically, a CFA is a tuple (Loc,Var, ,→, `0)where

• Loc is a finite set of program locations,

• Var is a set of program variables,

• ,→ ⊆Loc×Stmt×Loc is a set of control flow edges, and

• `0∈Locis the initial location.

The operational semantics of a CFA then can be con- veniently expressed in terms of a labeled transition system (S,Act,→, I)where

• S=Loc×State is the set of states,

• I ={`0} ×State is the set of initial states,

• Act=Stmt,

• and the transition relation → ⊆S×Act×S is defined by the rule

`,−→<sup>s</sup> `⁰ S⁰∈Succ(S, s) (`,S)−→<sup>s</sup> (`⁰,S⁰) H. Abstract Semantics

To ensure efficiency or termination, modern model checkers and program analyzers check abstractions of systems, ex- pressed in terms of abstract domains. An abstract domain is a triple(S,E, γ)where

• S is the set of concrete states,

• E = (E,>,⊥,v,t) is a semi-lattice over the set of abstract states E with a top element > ∈E, a bottom element⊥ ∈E, a preorderv ⊆E×Eand a join oper- atort:E×E→E, and

• γ:E→ P(S)is the concretization function that assigns to each abstract state the set of concrete states it repre- sents.

47

Given a transition system(S,Act,→, I)for the concrete se- mantics, the abstract semantics w.r.t.Eandγcan be expressed as a transition system(E,Act, , γ(I)). For soundness of the analysis, the following properties must hold:

• γ(>) =S andγ(⊥) =∅,

• γ(e1)∪γ(e2)⊆γ(e1te2)for alle1, e2∈E, and

• S

s∈γ(e){s⁰ ∈S |s−→^α s⁰} ⊆S

e^αe⁰γ(e⁰)for all e∈E and α∈Act.

The abstract transition relation ⊆E×Act×E is also called a transfer relation.

A verifier can then analyze the system by exploring the abstract state space and applying abstraction refinement [13]

in case of a spurious error path that cannot be simulated according to the concrete semantics.

III. TIMEDCONTROLFLOWAUTOMATA

To extend CFAs with timed behavior, we assume clock ∈ Type for a distinguished type clock such that Dom(clock) =R≥0. This enables modeling of a clock vari- able as a regular program variable of type clock. In his context, Clock=Var(clock).

A. Syntax

A TCFA is a tuple(Loc,Urg,Var, ,→,Inv, `0)where

• (Loc,Var, ,→, `0)is a CFA (with clock∈Type),

• Urg ⊆Loc is a set of urgent locations that model loca- tions where time shouldn’t pass, and

• Inv :Loc→Form is a function that maps invariants to locations.

Moreover, we assume that all atomic formulas that contain clock variables are clock constraints.¹

As can be seen from the definition, a TCFA can either be considered a CFA extended with clock variables, urgent locations and location invariants, or alternatively, as a gener- alized TA where guards and clock resets are represented as statements. As a consequence, optimizations from both areas (e.g. large block encoding [14]) might be applicable.

As an example, Figure 1 depicts Fischer’s protocol as a TCFA. Here,a,b andiare constant values of typeint.

Fig. 1. Fischer’s protocol as a TCFA

1Note that the formalism is sensible even if this assumption is not made.

However, in order to apply the theory of timed automata for verification, it has to be assumed.

B. Concrete Semantics

The semantics of a TCFA is(S,Act,→, I)where

• S={`0} ×State,

• I ={(`0,S<sup>0</sup>)∈S| S<sup>0</sup>|=Inv(`0)},

• Act=Stmt∪R≥0,

• and a transition t∈ → of the transition relation

→ ⊆S×Act×S is either a delay transition that in- creases all clocks with a valueδ≥0:

`∈Loc\Urg δ≥0 S<sup>0</sup> =Delay(S, δ) S<sup>0</sup>|=Inv(`) (`,S)−→<sup>δ</sup> (`,S⁰)

or a discrete transition that models the execution of a statements∈Stmt:

`,−→<sup>s</sup> `⁰ S⁰∈Succ(S, s) S⁰|=Inv(`<sup>0</sup>) (`,S)−→^s (`⁰,S⁰)

C. Abstract semantics

The abstract semantics of a TCFA can simply be defined by extending the transfer relation with transitions that abstract time delay. For TCFAs, the transfer relation is of the form

⊆E×(Stmt∪ {delay})×E, and the following addi- tional property holds:

• S

s∈γ(e){s⁰∈S|s−→^δ s⁰} ⊆S

e^delaye⁰γ(e⁰)for alle∈E andδ ∈R≥0.

Alternatively, for the analysis of reachability properties, an abstract combined step semantics [7] can be defined where a transition is a combination of a single delay and a discrete transition.

D. Connection to TAs and CFAs

The formulation above admits a simple description of both CFAs and TAs. A timed automaton can be considered a TCFA whereClock =Var,Urg=∅and only statements of the form [ϕ]( ; x:= 0)^∗ are allowed where x∈Clock. Here, [ϕ] is a guard andx:= 0is a clock reset. A CFA on the other hand is a TCFA where Clock =∅,Urg=Locand Inv(`) =true for all`∈Loc.

Moreover, given a TCFA withInv(`0) =true, it can be transformed to a semantically equivalent CFA by applying the following simple steps:

• Eliminating clock variables. For all variables x:clock of the TCFA, the CFA has a variablex:real_≥0such that Dom(real_≥0) =Dom(clock) =R≥0.

• Eliminating location invariants. For all edges (`, s, `⁰) of the TCFA, the CFA has an edge (`,[Inv(`)] ; s; [Inv(`<sup>0</sup>)], `⁰). Naturally, invariants equivalent to truecan be omitted.

• Simulating delay. For all locations `∈Loc\Urg of the TCFA, the CFA has an edge(`,delay, `)that simulates delay steps. Here, delaystands for the statement

havocδ;x1:=x1+δ; . . . ;xn:=xn+δ; [Inv(`)]

48

where δ:real_≥0 is a distinguished delay variable and {x1, . . . , xn}=Clock.

Figure 2 shows the resulting CFA for Fischer’s protocol.

Fig. 2. Fischer’s protocol as a CFA

E. Reachability Analysis of TCFAs

The main advantage of the above formulation is that it admits verifiers to be built compositionally, in the spirit of configurable program analysis [15]. More precisely, given abstractions Edata for data variables and Etime for clock variables with respective transfer relations data and time, a simple analysis can be built that explores the two aspects independently and is a full-fledged verifier for the complete system. Here, Edata is basically a verifier for software that operates on CFAs, andE^time a verifier for timed automata.

As a simple example, Figure 3 illustrates the abstract state space of Fischer’s protocol whereEdatais predicate abstraction over a single predicate lock = i (for i 6= 0), and Etime

is zone abstraction. With both timing and data handled with an appropriate abstraction, a compact over-approximation of the concrete state space is obtained that enables sound and efficient reachability analysis of the system.

IV. CONCLUSIONS ANDF^UTUREW^ORK

In this paper, we have described the formalism of timed control flow automata that is an extension of control flow automata with notions of timed automata. We have compared it to the original formalisms, and highlighted a simple method to build verifiers for the formalism by combining verifiers for CFAs and TAs.

In the future, we plan to implement such combined analyses and investigate them in depth. Moreover, to enable modeling of industrial systems, the formalism can be extended with syntax and semantics for parametric behavior and concurrency based on shared variables and handshake synchronization.

R^EFERENCES

[1] R. Alur and D. L. Dill, “A theory of timed automata,” Theoretical Computer Science, vol. 126, no. 2, pp. 183–235, 1994.

[2] G. Behrmann, A. David, K. G. Larsen, J. H˚akansson, P. Petterson, Y. Wang, and M. Hendriks, “UPPAAL 4.0,” in Third International Conference on the Quantitative Evaluation of Systems - (QEST’06).

IEEE, 2006, pp. 125–126.

[3] J. Bengtsson, J. Bengtsson, W. Yi, and W. Yi, “Timed automata:

Semantics, algorithms and tools,” inLectures on Concurrency and Petri Nets, 2004, vol. 3098 LNCS, pp. 87–124.

Fig. 3. Abstract Reachability Graph for Fischer’s protocol

[4] G. Morb´e, F. Pigorsch, and C. Scholl, “Fully Symbolic Model Checking for Timed Automata,” inComputer Aided Verification, 2011, vol. 6806 LNCS, pp. 616–632.

[5] A. Carioni, S. Ghilardi, and S. Ranise, “MCMT in the Land of Parameterized Timed Automata,” Proceedings of VERIFY, pp. 1–16, 2010.

[6] R. Kindermann, T. Junttila, and I. Niemel¨a, “Beyond Lassos: Complete SMT-Based Bounded Model Checking for Timed Automata,” inFormal Techniques for Distributed Systems, 2012, pp. 84–100.

[7] ——, “SMT-based Induction Methods for Timed Systems,” Formal Modeling and Analysis of Timed Systems, vol. 7595 LNCS, pp. 171–

187, 2012.

[8] T. Isenberg and H. Wehrheim, “Timed Automata Verification via IC3 with Zones,” inFormal Methods and Software Engineering, 2014, pp.

203–218.

[9] T. Isenberg, “Incremental Inductive Verification of Parameterized Timed Systems,” in Application of Concurrency to System Design (ACSD), 2015, pp. 1–9.

[10] K. Hoder and N. Bjørner, “Generalized Property Directed Reachability,”

inTheory and Applications of Satisfiability Testing SAT 2012, vol. 7317 LNCS, 2012, pp. 157–171.

[11] H. Hojjat, P. R¨ummer, P. Subotic, and Wang Yi, “Horn Clauses for Communicating Timed Systems,”Electronic Proceedings in Theoretical Computer Science, vol. 169, pp. 39–52, 2014.

[12] D. Beyer, “Software Verification and Verifiable Witnesses,” inTools and Algorithms for the Construction and Analysis of Systems, 2015, vol. 9035 LNCS, pp. 401–416.

[13] E. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith, “Counterexample- guided abstraction refinement for symbolic model checking,”Journal of the ACM, vol. 50, no. 5, pp. 752–794, 2003.

[14] D. Beyer, A. Cimatti, A. Griggio, M. E. Keremoglu, S. F. Univers, and R. Sebastiani, “Software Model Checking via Large-Block Encoding,”

inFormal Methods in Computer-Aided Design, 2009, pp. 25–32.

[15] D. Beyer, T. A. Henzinger, and G. Th´eoduloz, “Configurable Software Verification: Concretizing the Convergence of Model Checking and Program Analysis,” in Computer Aided Verification, 2007, vol. 4590 LNCS, pp. 504–518.

49